From bbe9c3d51afa33d883abed3700d33c256afff46b Mon Sep 17 00:00:00 2001
From: Johannes Bauer
Date: Fri, 11 Aug 2017 19:00:21 -0400
Subject: [PATCH] Clarify CLI OCSP documentation
This fixes issue #3043, which ultimately was reported because documentation was not clear on the meaning of the "-ignore_err" option. Update both command line documentation and add this option to manpage.
Reviewed-by: Andy Polyakov
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/4143)
---
 apps/ocsp.c | 2 +-
 doc/man1/ocsp.pod | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 0b938328d4..3e1201ff73 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -108,7 +108,7 @@ const OPTIONS ocsp_options[] = {
 {"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
 {"port", OPT_PORT, 'p', "Port to run responder on"},
 {"ignore_err", OPT_IGNORE_ERR, '-',
- "Ignore Error response from OCSP responder, and retry "},
+ "Ignore error on OCSP request or response and continue running"},
 {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
 {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
 {"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"},
diff --git a/doc/man1/ocsp.pod b/doc/man1/ocsp.pod
index 058462f318..42621df336 100644
--- a/doc/man1/ocsp.pod
+++ b/doc/man1/ocsp.pod
@@ -74,6 +74,7 @@ B B
 [B<-no_cert_checks>]
 [B<-no_explicit>]
 [B<-port num>]
+[B<-ignore_err>]
 [B<-index file>]
 [B<-CA file>]
 [B<-rsigner file>]
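Review bot: The new `ignore_err` help string in apps/ocsp.c says "error", while the manpage entry added in this same patch says "malformed requests or responses" and describes a client-side retry that the string no longer mentions. Someone reading only the `-help` output could take the option to mean that failed or unverifiable OCSP responses are tolerated, which matters when the command is used as a revocation check. I would align the two texts, for example `"Ignore malformed OCSP request or response: retry (client) or keep running (responder)"`. The option handling is not visible here, so the exact set of errors covered should be confirmed against the code before settling the wording; the `ocsp_options` array starts and ends outside the hunk.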
@@ -343,6 +344,12 @@ specified in the B option is used. Port to listen for OCSP requests on. The port may also be specified using the B option. +=item B<-ignore_err> + +Ignore malformed requests or responses: When acting as an OCSP client, retry if +a malformed response is received. When acting as an OCSP responder, continue +running instead of terminating upon receiving a malformed request. + =item B<-nrequest number> The OCSP server will exit after receiving B requests, default unlimited. -- 2.25.1